Who we are
RefClin ("RefClin", "we", "us") operates the RefClin clinical referral platform. Our registered/contact address is the United Kingdom.
RefClin handles personal data in two distinct roles:
- As a data processor. When a dental practice or clinic uses RefClin to send, receive or manage a clinical referral, the practices involved are the data controllers of the patient data. RefClin processes that patient data on their behalf and on their documented instructions, under a Data Processing Agreement. We do not decide the purposes for which patient clinical data is used.
- As a data controller. For the data we need to run our business — account and login details of clinic staff, billing records, support correspondence, and website analytics where consented — RefClin is the controller. This Privacy Policy explains that controller activity, and how we safeguard patient data when acting as a processor.
The personal data we process
Account & staff data (controller): name, work email, role, hashed password, login and audit metadata.
Patient & clinical data (processor): patient demographics, contact details, medical history, clinical notes, radiographs and other uploaded documents, and consent records — submitted by a referring practice and shared with the receiving clinic to deliver the referral. This includes special-category data concerning health (UK GDPR Article 9).
Billing data (controller): plan, billing status and invoicing details. Card payments, when enabled, are handled by our payment processor; we do not store full card numbers.
Technical & usage data: IP address, device/browser information, and — only with your consent — analytics about how the site is used.
Lawful bases
- Account, security and service delivery (controller): performance of our contract with your practice (Article 6(1)(b)) and our legitimate interests in operating and securing the platform (Article 6(1)(f)).
- Patient clinical data (processor): the lawful basis is determined by the controlling practice. Typically this is the provision of health/dental care (Article 6(1)(e)/(f) with the Article 9(2)(h) condition for health data), with patient consent captured per referral where required.
- Marketing & analytics cookies: your consent (Article 6(1)(a) and the Privacy and Electronic Communications Regulations 2003).
How we use the data
We use it to authenticate users, deliver and track referrals between practices, store and transmit clinical documents securely, provide support, send service (non-marketing) emails, meet legal and regulatory obligations, and — where consented — measure and improve the site.
Sharing and sub-processors
We do not sell personal data. We share it only with vetted sub-processors under contract, including: object storage (S3-compatible storage hosted in the EEA/UK), and our transactional email provider. Patient data is only ever transmitted to recipients covered by a Data Processing Agreement. We may disclose data where required by law or to protect our rights.
International transfers
We host and process clinical data within the UK or the EEA. Where any transfer outside the UK/EEA is unavoidable, we rely on an adequacy decision or appropriate safeguards (such as the International Data Transfer Agreement / Standard Contractual Clauses).
Retention
Account and billing data is kept for the life of the relationship and for as long afterwards as the law requires. Patient clinical data is retained according to the controlling practice's instructions and applicable clinical record-retention rules; on termination it is returned or securely deleted per the Data Processing Agreement. Audit logs are append-only and retained for security and accountability.
Security
We apply technical and organisational measures including encryption in transit and at rest, strict per-tenant isolation, role-based access, append-only audit logging, and least-privilege access controls. No system is perfectly secure, but we work to protect your data and to notify you and the regulator of any qualifying breach without undue delay.
Your rights
Subject to your role and our processor obligations, you have the right to access, rectify, erase, restrict, and port your personal data, and to object to certain processing. Patients should exercise their rights with the dental practice that holds their record (the controller); we will assist that practice as their processor. For data where we are the controller, contact us using the details below. You can withdraw cookie consent at any time via "Cookie settings".
Cookies
We use cookies and similar technologies as described in our Cookie Policy.
Contact & complaints
For privacy questions or to exercise your rights, contact us at privacy@refclin.ai. If you are not satisfied, you can complain to the UK Information Commissioner's Office (ICO) at ico.org.uk.
Changes
We may update this policy from time to time. Material changes will be reflected here with a revised "last updated" date.